Entanglement-based attacks, which are subtle and powerful, are usually believed to render quantum
bit commitment insecure. We point out that the no-go argument leading to this view implicitly
assumes the evidence-of-commitment to be a monolithic quantum system. We argue that more
general evidence structures, allowing for a composite, hybrid (classical-quantum) evidence, conduce
to improved security. In particular, we present and prove the security of the following protocol: Bob
sends Alice an anonymous state. She inscribes her commitment b by measuring part of it in the
$+$ (for $b = 0$) or $\times$ (for $b = 1$) basis. She then communicates to him the (classical) measurement
outcome $R_x$ and the part-measured anonymous state interpolated into other, randomly prepared
qubits as her evidence-of-commitment.
Quantum cryptography draws its power from the very principles of quantum mechanics, rather than, as with classical
cryptography, unproven assumptions about the hardness of certain computations [1]. It has found its dominant
application in quantum key distribution [2], which is provably secure (cf. [3] and references therein) and also
implementable with current technology [4]. The "post-cold war" applications of cryptography concern such tasks as
quantum coin tossing [5, 6, 7, 8, 9, 10], quantum gambling [11], quantum oblivious mutual identification [12], quantum
oblivious transfer [13, 14] and two-party secure computations [15], essentially concerned with secure processing
of the private information of mistrustful parties to reach a public decision. These are closely related to quantum
bit commitment (QBC) [16, 17], a quantum cryptographic primitive for secure information processing. In a concrete if
naive realization of bit commitment, the committer (called Alice) writes 0 or 1 on a note, puts it into a safe, which she
hands over to the acceptor (called Bob) as her evidence of commitment. Upon Bob choosing to enter the transaction,
she gives him the key to the safe. The main point is that Alice should not be able to cheat by changing her mind
after handing Bob the safe, nor should Bob be able to cheat by finding out about Alice's decision until after she gives
him the key. A secure bit commitment is one which is (at least, exponentially in some security parameter) binding on
Alice and unconditionally concealing (of her commitment) from Bob and thus prevents either party from cheating.
However, it is generally agreed that secure QBC is impossible [?] because of the possibility of an entanglement-based
[?] attack by Alice. Here a dishonest Alice sends as evidence of her commitment $b \in \{0,1\}$ towards Bob photons
in entangled states instead of ones in a definite polarization state. The ensemble $\chi_b$ and the corresponding density
matrix $\rho_b$ of possible states representing commit bit b should satisfy $\rho_0 = \rho_1$ in order to be indistinguishable to Bob.
Then, according to the Gisin-Hughston-Jozsa-Wootters (GHJW) theorem [?], a purification of $\chi_0$ can be rotated
remotely to that of $\chi_1$. Therefore, by delaying her measurement until after unveiling, Alice can cheat by unveiling
a state in $\chi_0$ or $\chi_1$. This powerful argument forms the basis of the no-go argument for QBC. Related quantum
two-party secure computation protocols [15], simultaneously secure against both Alice and Bob, are also believed to be
impossible, except in a relativistic scenario [20], though a trade-off is permitted [21]. Yet, arguments have been put
forward pointing out that the no-go result for QBC does not cover all possible QBC scenarios [22, 23, 24, 25, 26, 27].
This discrepancy is partly explained by the difficulty of characterizing all possible scenarios. An important step
towards remedying this situation is a recent classification of protocols [?] that includes anonymous-state based
protocols, introduced by Yuen [24], and thus allows for more general schemes than the Yao model [28] assumed in the
no-go argument.

In a typical QBC scheme with BB84 encoding [2], qubits (photons) come in four possible preparations: in the
rectilinear basis (denoted $+$), with horizontal (signifying 0) or vertical (signifying 1) polarization; else, in the diagonal
basis (denoted $\times$) with polarization oriented at 45° (signifying 0) or 135° (signifying 1). During the commitment
phase, Bob receives from Alice an evidence-of-commitment, whose state she unveils along with b in the unveiling 
phase. The new protocol we present differs from this pattern in three significant ways: inclusion of Bob's anonymous 
state, the classical component of the evidence, and Alice's use of decoy qubits. The first two features are indispensable. 
II. THE NEW PROTOCOL

We present below a new protocol, denoted P, the proof of whose security against entanglement-based and other
attacks is given thereafter. For simplicity, it assumes a noiseless channel but can easily be extended to the noisy case.
Let m, n, p, q be four pre-agreed security parameters such that $1 \ll m \ll n \ll p, q$. The complete honest protocol
consists of three phases: (1) pre-commitment phase, (2) commitment phase, (3) unveiling phase. The intervening
period between the commitment- and unveiling-phase, sometimes called the holding phase, can be arbitrarily long. A
note on notation: $[y, z]_b$ represents a function that takes value y (z) when $b = 0$ ($b = 1$).

1. Pre-commitment phase:

(a) Bob chooses two random, unknown-to-Alice, p-bit strings $R_B \in \{0,1\}^p$ and $\eta \in \{+,\times\}^p$. He prepares the
pure, separable p-qubit state $|R_B\rangle_\eta = |R_B(1)\rangle_{\eta(1)} \otimes \cdots \otimes |R_B(p)\rangle_{\eta(p)}$.

(b) He sends the anonymous state $|R_B\rangle_\eta$ to Alice over a quantum channel.

2. Commitment phase:

(a) Test for random mixing: Alice randomly chooses $(p-n)/2$ qubits from $|R_B\rangle_\eta$ and measures them in the $+$ basis
and checks that she obtains almost equal numbers of 0 and 1 outcomes. She repeats the same for the $\times$ basis. (If even one
of the checks fails, she aborts the protocol run, convinced that Bob biased the system he sent her.) The
measured qubits are discarded. We denote by $|\tilde R_B\rangle_{\tilde\eta}$ the state of the n undiscarded qubits remaining with
her, and by P the p-bit string specifying the positions of the undiscarded qubits. The tilde (over $R_B$ and
$\eta$) denotes restriction to the undiscarded qubits. During discarding, the ordering of the surviving qubits is
preserved [29].

(b) Measurement on m undiscarded qubits: She generates a random n-bit string $x \in \{0,1\}^n$ of Hamming
weight m (i.e., the number of 1's is m). Of the surviving qubits, a qubit i for which $x(i) = 1$ ($x(i) = 0$) is called
'marked' ('unmarked'). To commit to $b = 0$ ($b = 1$), she measures the m marked qubits in the $+$ ($\times$) basis.
The m-bit measurement outcome is denoted $R_x$.

(c) Introduction of decoy qubits: Alice chooses a random q-bit string Q of Hamming weight n ($\ll q$). She
creates a q-qubit state as follows: in slot i, if $Q(i) = 0$, she inserts a decoy qubit in an arbitrary state,
else she inserts an undiscarded qubit, in sequential order. The resulting state is denoted $|R_A\rangle_\theta$, where
$R_A \in \{0,1\}^q$ and $\theta \in \{+,\times\}^q$ [30].

(d) Evidence communication: She communicates to Bob the triple $(P, R_x, |R_A\rangle_\theta)$ as her evidence of commitment:
P and $R_x$ over a classical channel, $|R_A\rangle_\theta$ over a quantum channel.

3. Unveiling phase:

(a) Alice announces Q, b and x.

(b) Using Q, Bob locates and removes the decoy qubits. Using x, he locates the $n - m$ unmarked (undiscarded)
qubits, and verifies that he recovers $|\tilde R_B'\rangle_{\tilde\eta'}$, where the prime denotes restriction to unmarked qubits.

(c) Measuring all marked qubits in the basis $[+,\times]_b$, he verifies that he obtains outcome $R_x$.

(d) On the marked qubits, if $[+,\times]_b = \tilde\eta''(i)$, he checks that $|R_x(i)\rangle_{[+,\times]_b} = |\tilde R_B''(i)\rangle_{\tilde\eta''(i)}$, where the double
prime denotes restriction to marked qubits.
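
The three phases above can be exercised end to end with a small classical simulation, because in the honest protocol every qubit is prepared, measured and checked in the $+$ or $\times$ basis and the joint state never leaves the set of product states. The following Python script is an added example, not code from the paper's authors: it plays Bob's preparation, Alice's mixing test, marking, measurement and decoy insertion, and Bob's checks 3(b)-3(d), and then shows what each side's checks catch (a Bob who sends a biased anonymous state is rejected in step 2(a); an Alice who measured for $b = 0$ and announces $b = 1$ fails check 3(c) except with probability $2^{-m}$, the case analysed under "attacks not based on entanglement" below). The parameter values (p = q = 400, n = 40, m = 20), the mixing-test tolerance, the biased-Bob model and all function names are constructed for illustration.

```python
"""Classical simulation of one run of protocol P (added example, not the paper's code).

Every state in the honest protocol is a product of single qubits in the + or x
basis, so real 2-vectors per qubit suffice; no entanglement is simulated.  The
parameters, the mixing-test tolerance and the biased-Bob model are constructed.
"""
import math
import random

P_QUBITS, Q_QUBITS, N_KEEP, M_MARK = 400, 400, 40, 20   # constructed: 1 << m << n << p, q
SQ = 1 / math.sqrt(2)
# BASIS[basis][bit]: |0>_+, |1>_+ (horizontal/vertical); |0>_x, |1>_x (45/135 degrees)
BASIS = {"+": {0: (1.0, 0.0), 1: (0.0, 1.0)},
         "x": {0: (SQ, SQ), 1: (SQ, -SQ)}}


def measure(state, basis, rng):
    """Projective measurement of one qubit; returns (outcome bit, collapsed state)."""
    amp0 = state[0] * BASIS[basis][0][0] + state[1] * BASIS[basis][0][1]
    bit = 0 if rng.random() < amp0 * amp0 else 1
    return bit, BASIS[basis][bit]


def bob_prepare(rng, biased=False):
    """Phase 1: random R_B, eta and the separable anonymous state |R_B>_eta.
    biased=True models a cheating Bob who sends every qubit as |0>_+."""
    if biased:
        r_b, eta = [0] * P_QUBITS, ["+"] * P_QUBITS
    else:
        r_b = [rng.randrange(2) for _ in range(P_QUBITS)]
        eta = [rng.choice("+x") for _ in range(P_QUBITS)]
    return r_b, eta, [BASIS[k][v] for v, k in zip(r_b, eta)]


def mixing_test(states, positions, basis, rng, tol=0.2):
    """Step 2(a): measure the chosen qubits in one basis and require a roughly
    even split of 0 and 1 outcomes (the tolerance is a constructed choice)."""
    ones = sum(measure(states[i], basis, rng)[0] for i in positions)
    return abs(ones / len(positions) - 0.5) <= tol


def alice_commit(states, b, rng):
    """Steps 2(a)-2(d).  Returns the evidence (P, R_x, quantum part) together
    with Alice's private Q and x for the unveiling, or None if she aborts."""
    states = list(states)
    order = list(range(P_QUBITS))
    rng.shuffle(order)
    half = (P_QUBITS - N_KEEP) // 2
    test_plus, test_x = order[:half], order[half:2 * half]
    keep = sorted(order[2 * half:])                      # ordering of survivors preserved
    if not (mixing_test(states, test_plus, "+", rng) and mixing_test(states, test_x, "x", rng)):
        return None
    keep_set = set(keep)
    pos_p = [1 if i in keep_set else 0 for i in range(P_QUBITS)]   # the string P
    kept = [states[i] for i in keep]                     # |R~_B>_eta~ (n qubits)
    x = [0] * N_KEEP                                     # 2(b): mark m of the n qubits
    for j in rng.sample(range(N_KEEP), M_MARK):
        x[j] = 1
    basis_b = "+" if b == 0 else "x"
    r_x = []
    for j in range(N_KEEP):
        if x[j]:
            bit, kept[j] = measure(kept[j], basis_b, rng)
            r_x.append(bit)
    q_string = [0] * Q_QUBITS                            # 2(c): scatter survivors among decoys
    for i in rng.sample(range(Q_QUBITS), N_KEEP):
        q_string[i] = 1
    survivors = iter(kept)
    quantum_evidence = [next(survivors) if q_string[i]
                        else BASIS[rng.choice("+x")][rng.randrange(2)]   # decoy in an arbitrary state
                        for i in range(Q_QUBITS)]
    return {"P": pos_p, "R_x": r_x, "qubits": quantum_evidence, "Q": q_string, "x": x}


def bob_verify(r_b, eta, evidence, announced_b, rng):
    """Steps 3(a)-3(d) from Bob's side; True iff every check passes."""
    keep = [i for i in range(P_QUBITS) if evidence["P"][i]]
    rt_b, et = [r_b[i] for i in keep], [eta[i] for i in keep]
    qubits = [q for q, flag in zip(evidence["qubits"], evidence["Q"]) if flag]   # 3(b): drop decoys
    basis_b = "+" if announced_b == 0 else "x"
    r_x = iter(evidence["R_x"])
    for j, q in enumerate(qubits):
        if evidence["x"][j] == 0:                         # 3(b): unmarked qubit must be as he sent it
            if measure(q, et[j], rng)[0] != rt_b[j]:
                return False
        else:
            claimed = next(r_x)
            if measure(q, basis_b, rng)[0] != claimed:    # 3(c): outcome must reproduce R_x
                return False
            if basis_b == et[j] and claimed != rt_b[j]:   # 3(d): must agree with his own preparation
                return False
    return True


def run_protocol(b, unveil_b=None, seed=1, bob_biased=False):
    """One complete run.  unveil_b lets a dishonest Alice announce a bit other
    than the one she measured for.  Returns 'aborted' or Bob's verdict."""
    rng = random.Random(seed)
    r_b, eta, states = bob_prepare(rng, bob_biased)
    evidence = alice_commit(states, b, rng)
    if evidence is None:
        return "aborted"
    return bob_verify(r_b, eta, evidence, b if unveil_b is None else unveil_b, rng)


if __name__ == "__main__":
    print("honest b=0:", run_protocol(0))                        # True
    print("honest b=1:", run_protocol(1, seed=7))                # True
    print("commit 0, unveil 1:", run_protocol(0, unveil_b=1))    # False except with prob. 2^-m
    print("biased Bob:", run_protocol(0, bob_biased=True))       # 'aborted' in step 2(a)
```

The honest runs pass deterministically: Bob re-measures each returned qubit in the basis in which it was last prepared or measured, so his outcomes always reproduce his own bits (unmarked qubits) or $R_x$ (marked qubits). The wrong-bit unveiling fails because the marked qubits, collapsed into $+$ eigenstates, give uniformly random outcomes under Bob's $\times$ measurement, which is exactly the $(1/2)^{m/2}$ overlap argument used in the security analysis.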

The basic intuition behind the protocol can be summarized as follows: Alice encodes b by measuring part of the
anonymous state sent by Bob in the $+$ (for $b = 0$) or $\times$ (for $b = 1$) basis. She then communicates the (classical)
outcome $R_x$ and the part-measured anonymous state to him as evidence. Announcing $R_x$ almost entirely deprives her
of the freedom to depart from honest execution because the measured qubits were in unknown-to-her states prepared
by Bob. On the other hand, Bob is unable to exploit his prior knowledge of $|R_B\rangle_\eta$ and received knowledge of $R_x$ on
account of her insertion of decoy qubits, which serve as "junk" information, preventing him from identifying the "signal"
qubits. A more detailed proof is given below.

A. Security against Bob 

Before the unveiling, because of his prior knowledge of $|R_B\rangle_\eta$ and Alice's announcement of $R_x$ in step 2(d), Bob
knows that an m-qubit subset of the quantum evidence received from Alice is in the state $|R_x\rangle_\kappa$, where $\kappa$ is all $+$ or
all $\times$, and another, $(n-m)$-qubit subset is in the state originally prepared by him. If Bob knew which n qubits were
non-decoy qubits, he could measure them all in the $\eta$ basis, and based on the departure from $|R_B\rangle_\eta$, he could with
high probability ($= 1 - (1/2)^{m/2}$) determine b. And if he knew which m qubits were marked, he could measure them
all either in the $+$ or $\times$ basis, and based on the departure of outcomes from $R_x$, he could similarly with high probability
($= 1 - (1/2)^m$) determine b. But in both these he is thwarted by the classical combinatorial uncertainty arising from
the exponentially large number of ways in which Alice's n non-decoy qubits could be scattered among the q return
qubits: for $n \ll q$, Q could have been chosen in about $(q/n)2^n$ ways [31]. So the probability that knowledge of $R_x$
and $|R_B\rangle_\eta$ will help him to correctly infer b is exponentially small in n. For the same reason, he is unable to employ
an entanglement-based attack wherein he sends entangled qubits, and by pairing up Alice's return qubits with their
hidden entangled counterparts, tries to identify b by comparing correlated measurements in some fixed basis. As a
result, from Bob's viewpoint the quantum system sent by Alice is exponentially close to the maximally uncertain state
$2^{-q} I^{\otimes q}$. Finally, we note that if he biases $|R_B\rangle_\eta$ by sending all qubits in an identical state (or with the distribution
of 0's and 1's being basis dependent), Alice will most certainly detect this in step 2(a). This completes the proof of
security against Bob.

B. Security against Alice 

Her evidence consists of an auxiliary, two-part classical component $(P, R_x)$ and a quantum component $|R_A\rangle_\theta$. We
will find that the origin of the security against Alice is that the classical component of the evidence restricts what she
can achieve by nonlocally influencing the state of the quantum evidence, thereby constraining her to play honestly.
A classical record has only one possible ensemble realization: it cannot be set in a superposition state. In particular,
it does not permit two distinct equivalent ensembles that can be rotated into each other in the sense of the GHJW
theorem. Therefore, no entanglement-based attack based on $(P, R_x)$ is possible. Another way to see this is that if
Alice could alter $(P, R_x)$ via entanglement, this would have led to superluminal signaling [32, 33]. Hence any possible
attack on her part should be based on a fixed $(P, R_x)$ after step 2(d). Further, she is restricted by quantum no-cloning
[34] and Heisenberg uncertainty from knowing about $|R_B\rangle_\eta$ and must operate within the confines of this ignorance.

From Alice's viewpoint, $|R_A\rangle_\theta$ factors into three distinct sectors: the $n - m$ unmarked qubits in an unknown-to-her
state ($\in \mathcal{H}_U$, the unmarked subspace), the m marked qubits in a known-to-her state ($\in \mathcal{H}_C$, the coding subspace) and
the $q - n$ decoy qubits in a known-to-her state ($\in \mathcal{H}_D$, the decoy subspace). The state of the quantum evidence is
given by $|R_A\rangle_\theta = |\phi\rangle \otimes |\tilde R_B'\rangle_{\tilde\eta'} \otimes |R_x\rangle_{[+,\times]_b} \in \mathcal{H}_E = \mathcal{H}_D \otimes \mathcal{H}_U \otimes \mathcal{H}_C$. Now, she must leave the system $\mathcal{H}_U$ untouched in
order to pass step 3(b), where Bob checks that the unmarked qubits remain unmeasured. Therefore, no attack may
involve this sector. Further note that the announcement of P means that discarded qubits can never be unveiled as
marked or unmarked qubits. Therefore, any possible attack by Alice should be confined to the subspace $\mathcal{H}_D \otimes \mathcal{H}_C$. To
prove security, we need to show that no attacks exist that can pass both of Bob's checks in steps 3(c) and 3(d). We first
consider attacks not based on entanglement.

a. Attacks not based on entanglement: Suppose she executes step 2(b) honestly with $b = 0$ and announces $R_x$ in
step 2(d). Her chance of dishonestly unveiling $b = 1$ by unveiling $|R_x\rangle_+$ as $|R_x\rangle_\times$, and hence passing Bob's check in
3(c), is exponentially small because the overlap ${}_\times\langle R_x|R_x\rangle_+ = (1/2)^{m/2}$. Nor can she cheat by interchanging marked
and decoy qubits: for while she can obviously unveil marked qubits as decoy qubits, the converse is not true. For
example, suppose she prepares $|R_x\rangle_+$ honestly, but dishonestly prepares m of her decoy qubits in the state $|R_x\rangle_\times$. To
unveil them as her marked qubits will allow her to pass test 3(c). However, unveiling the dishonest $b = 1$ will almost
certainly (with probability $1 - 2^{-m}$) lead to her being caught in step 3(d). Here we note that if P were not part of the
evidence submitted in step 2(d), then she could have cheated simply by introducing suitable discarded qubits found
in the state $|R_x\rangle_\times$ among the decoy qubits.

b. Mayers-Lo-Chau attack: Let us consider the prospects of an entanglement-based attack. The main point
here is that Alice should have made her honest measurement before the evidence communication step 2(d). If, without
measuring, she announces an arbitrary $R_x$, entangling and deferring her measurement, her chance of escaping step
3(c) is $2^{-m}$ (the probability to obtain the measurement projection $|R_x\rangle_\kappa\langle R_x|_\kappa$, where $\kappa$ is all $+$ or all $\times$). Next, we
note that for the reason mentioned in the preceding paragraph, decoy qubits cannot be passed off as marked qubits,
because of step 3(d). Therefore, any attempt at an entanglement-based attack must be restricted to sector $\mathcal{H}_C$. But
here, we observe that $|R_x\rangle_+\langle R_x|_+ = \rho_0^C \neq |R_x\rangle_\times\langle R_x|_\times = \rho_1^C$, where the superscript C refers to $\mathcal{H}_C$. Thus, these two
ensembles, which code for her two possible commitments, conditioned on Bob's knowledge of $R_x$, are inequivalent,
with the consequence that a purification of $\rho_0^C$ cannot be remotely rotated into one of $\rho_1^C$ in the sense of the GHJW
theorem. It follows that an entanglement-based attack of the type envisaged by the no-go argument is not possible.
Another way to see this is that if it were possible, it would lead to superluminal signaling. At the same time, the fact
that $\rho_0^C \neq \rho_1^C$ does not lead to distinguishability with respect to Bob, because the state $\rho_b$ of the evidence as a whole
indeed satisfies $\rho_0 = \rho_1$.

This elucidates how the composite, hybrid structure of the evidence in the protocol is essential to evade the no-go
argument, which implicitly assumes a monolithic (i.e., non-composite), purely quantum evidence, where $\mathcal{H}_C = \mathcal{H}_E$,
i.e., the coding space is all of the quantum evidence. Of course, in such a case, the requirement $\rho_0 = \rho_1$ on $\mathcal{H}_E$ would
imply $\rho_0^C = \rho_1^C$, from which the Mayers-Lo-Chau attack follows. The desired twin features of security against Bob and
that against Alice refer to different state spaces ($\mathcal{H}_E$ and $\mathcal{H}_C$, respectively), that is, state indistinguishability on $\mathcal{H}_E$
(for security against Bob) and state inequivalence on $\mathcal{H}_C$ (for security against Alice). As a result, guaranteeing the
former does not imply violation of the latter.

c. Weaker entanglement-based attacks: Now that we have demonstrated security against the standard
entanglement-based attack, we turn our attention to weaker attacks. The Mayers-Lo-Chau attack, where applicable,
is characterized by:

$$P^B_{\mathrm{cheat}} \to 1/2 \;\Rightarrow\; P^A_{\mathrm{unveil}}(b) \to 1, \qquad (1)$$

where $P^A_{\mathrm{unveil}}(b)$ is the probability that Alice can successfully unveil b, and $P^B_{\mathrm{cheat}}$ is Bob's cheating probability. The
minimum value (1/2) of $P^B_{\mathrm{cheat}}$ corresponds to a plain guessing chance for Bob. Eq. (1) says that if the probability for
Bob to cheat approaches the guessing value, then that for Alice to unveil any value of b is 1. A more general attack
we can envisage is one characterized by:

$$P^B_{\mathrm{cheat}} \to 1/2 \;\Rightarrow\; P^A_{\mathrm{unveil}}(b) \to \theta(b), \qquad (2)$$

where $\theta(b)$ does not vanish asymptotically as a function of any security parameter. It would seem reasonable to
require that at least one of the two $\theta(b)$'s should be 1, meaning she can cheat with complete certainty for at least one
value of b. Yet, in this general criterion, we won't even demand that. For example, it could be that $\theta(0) = \theta(1) \approx 0.5$.
Now, why would Alice want to launch such a weak entanglement-based attack, where she is not quite sure what b she
will have to unveil? One possible scenario is that she is an unknown player, who loses nothing even if her dishonesty
is detected. The main point is that where a weak attack exists, $\Delta = \min\{\theta(b)\} > 0$ (counting the Mayers-Lo-Chau
attack as a special case where $\Delta = 1$). We seek security even against this more general condition, such that $\Delta = 0$
(asymptotically). A protocol for which $0 < \Delta < 1$, which is secure against a standard entanglement-based attack, but
not against a weak attack, is called weakly secure. A protocol for which $\Delta = 0$ (asymptotically) is said to be strongly
secure.

An example of a weakly secure protocol, P', is as follows: modify step 2(b) in the above protocol to one wherein
Alice, instead of measuring m anonymous qubits, prepares and interpolates an m-qubit state $|R_x\rangle_{[+,\times]_b}$ in the marked
positions among $n - m$ unmarked anonymous qubits. In step 2(c), she does not introduce decoy qubits, but scrambles
the n-qubit state in $\mathcal{H}_U \otimes \mathcal{H}_C$ according to a permutation $\Pi$ in such a way that the relative ordering of the marked
qubits among themselves remains fixed. In 2(d), she sends $R_x$ and the system $\mathcal{H}_U \otimes \mathcal{H}_C$ as composite evidence. In
step 3(a), she announces $b, x, \Pi$. Obviously, step 3(d) is dropped. It may be verified that this protocol is secure
against Bob and against a standard entanglement-based attack by Alice for the same reasons as P. However, it is only
weakly secure because the following weak entanglement-based attack exists: in step 2(c) Alice interpolates the second
register in the state $|\xi\rangle = (1/\sqrt{2})(|0\rangle|R_x\rangle_+ + |1\rangle|R_x\rangle_\times)$. After the commit phase, she measures the first register and
unveils $b = 0$ ($b = 1$) if she finds 0 (1). She has a 50% chance of cheating successfully. The protocol is characterized by
$\Delta = 0.5 = \theta(0) = \theta(1)$.

We now demonstrate that the protocol P is strongly secure. To this end, one needs to consider if there is an optimal
measurement [35] she can perform in 2(b) to obtain a value of $R_x$ that, with a finite probability independent of m, is
an outcome she could obtain in both the $+$ and $\times$ basis. If yes, she can create the state $|\xi\rangle$ and proceed as in the attack on
P'. To see that this is exponentially impossible, we note that there is exactly one bit-string $R_x$ consistent with being
unveiled in both the $+$ and $\times$ basis [36]. Further, before measurement in step 2(b), the m marked qubits are, from Alice's
viewpoint, maximally uncertain, i.e., the density operator is given by $2^{-m} I^{\otimes m}$. It follows that there is no general
positive operator-valued measure [37, 38] that can yield this special outcome with a probability greater than $2^{-m}$.
Hence the chance that she can obtain an $R_x$ that is a possible valid outcome in both the $+$ and $\times$ basis, and thus launch
a weak attack using a $|\xi\rangle$ based on such an $R_x$, is exponentially small in m. This completes the proof of security against
Alice's weak entanglement-based attack.

III. CONCLUSION 

In contrast to a no-go result like no-cloning [34], that for QBC is more complicated to characterize. The reason is
that whilst cloning is a single well-defined physical process, QBC is a cryptographic task, whose decomposition into
individual processes can be model-dependent, with no obvious indication of the 'most general' model. For the no-go
argument to be truly universal, it must demonstrate that the model (denoted, say, M) which it proves insecure is the
most general allowed. In retrospect, some scope-restricting features of M are evident. It appears that these features
may have been assumed because M builds QBC implicitly on the basis of classical bit commitment adapted to include
the Yao model for two-party protocols [28].

For one, modelling the evidence as a monolithic (i.e., non-composite), purely quantum system that encodes b, it
fails to explore more general evidence structures and their security implications. In our protocol, the evidence is
composite and hybrid (classical-quantum), with two classical $(R_x, P)$ and three quantum ($\mathcal{H}_E = \mathcal{H}_D \otimes \mathcal{H}_U \otimes \mathcal{H}_C$)
parts. This composite and hybrid structure and the inter-relation between the constituent parts are critical to the
protocol's security. Second, the no-go argument assumes that any QBC scheme can be reduced before unveiling to
an equivalent scheme in which Alice and Bob share a mutually known entangled state. But this is incompatible with
the use of the classical component $(P, R_x)$ of the evidence, since a classical system cannot be put into a superposition,
let alone be entangled.

Finally, in the light of our result, some issues concerning no-go arguments in quantum "mistrustful" cryptography
merit careful consideration. We can expect to secure coin tossing by building it on top of the proposed QBC [39].
Hence, it is important to clarify how our protocol relates to no-go arguments for coin tossing, e.g., the result for the
lower bound on the number of sequential rounds for a given bias in quantum coin tossing, proposed in Ref. [40],
or the impossibility of ideal coin tossing, advanced in Ref. [?]. It turns out our scheme does not directly affect them
in that, being proposed after the discovery of the Mayers-Lo-Chau attack, they were designed to be independent of
the security of QBC. But now these no-go results must be qualified as pertaining to coin tossing protocols not built on
QBC [41]. Similarly, we can also expect to secure quantum oblivious transfer [28] by basing it on the proposed QBC
scheme. Kilian [42] has shown that, in classical cryptography, oblivious transfer can be used to implement protocols
such as oblivious circuit transfer, which is related to secure two-party computation. This chain of arguments re-injects
hope into the realizability of quantum versions of "post-cold war" cryptographic tasks.